Should a retailer’s systems integrator be PCI compliant?
When a retailer engages a systems integrator (SI) to build a new ecommerce system, the SI is given unprecedented access to internal systems and customer data. How can a retailer ensure the SI is not exposing the company to security risks? Should the retailer look for a PCI compliant SI?
The Payment Card Industry Data Security Standard (PCI DSS) was created to increase controls around cardholder data and reduce fraud, and compliance with the standard imposes mandatory best practice behaviours. These range from policies on protection from malicious code to data retention and secure destruction. Compliance is assessed by an independent Qualified Security Assessor (QSA), so if you engage a PCI compliant SI, you can have confidence that the people you are allowing to access your systems are operating to the highest security standards.
Is PCI compliance important, even if you do not store credit card data?
It is not just credit card information that is at risk, but also your customer data and reputation. By letting your customers access and store their confidential information, you are a target for those who would profit from it or take pleasure in causing disruption.
The loss of reputation and trust alone can be fatal for an organisation, as was seen with DigiNotar in 2011. If you are unfortunate enough to have card information accessed, the credit card companies can apply fines of up to $50 per card.
There is no doubt that attackers are after your data. Security patch releases for technologies are regular, and whilst they highlight vulnerabilities to user communities, they also highlight them to the hackers, who can then sweep the web looking for systems still running the vulnerable version to exploit.
Your application support partner needs to be monitoring the forums for the technologies they are implementing, so they can deliver zero-day patches before you get caught out.
Protection is very difficult; even the Information Commissioner's Office (ICO) was hacked in 2014, along with many major retailers and brands.
Unsurprisingly, security is not the first thing businesses want to discuss when planning a new ecommerce website. Even when non-functional requirements workshops take place, the security elements are often limited to high level statements without plans to monitor or test them.
The real benefit of a PCI compliant systems integrator is that they can use their expertise to help you make the right decisions about security standards and levels during the design phase; you are not expected to set the security stipulations for your SI to follow.
For the application development team within your partner SI, the policies mean clear and demonstrable approaches to secure programming. These include education and code review of the most critical web application security flaws, such as the OWASP Top 10, along with the appropriate levels of encryption and a rigid change control policy.
An increase in attacks and in the understanding of vulnerabilities has still not led to a wholesale change in attitudes towards security.
Although OWASP and PCI compliance are not formally linked, a website will not qualify for PCI compliance if it has any of the OWASP Top 10 vulnerabilities. And despite OWASP being in its 14th year, 87% of web applications are still found to be non-compliant. By using a PCI compliant SI, you can prevent your website from ending up in that majority.
Mitigating these security risks requires heavy investment to ensure the correct education, monitoring and QA of known vulnerabilities, and protection against known exposures. Retailers and brands that put themselves through the PCI process and its ongoing reviews do so because they recognise the importance of secure systems to their customers and the business, and are prepared to make that investment.
Ultimately, if you take your business seriously, you will want to work with a company that takes your website security seriously: a PCI compliant systems integrator.